We received an email from an unknown person at hotmail.
In the email they have listed lots of info that we believe is only available by logging into the server. For example, database names, users and encrypted passwords. We don't know how they logged in.

In response we are upgrading or patching as much software as possible, including litespeed.

Are there patches for 4.1.10 or should we upgrade to the latest version?

4.1.10 was out for quite a while and no one has reported an issue like this (system got compromised, etc). more likely it was caused by your other software/applications. upgrade to the latest lsws version may not make any difference.